
Senator Demands Review of How DHS Shares PII With Contractors

Sen. Maggie Hassan Asks GAO to Scrutinize DHS' Third-Party Security Practices

Sen. Maggie Hassan, D-N.H., is demanding that the U.S. Government Accountability Office review how the Department of Homeland Security shares personal data with third parties following several recent security incidents in which such information was exposed.

In an Oct. 23 letter to the GAO, Hassan writes that recent "troubling" security incidents connected to third-party contractors working with DHS have raised concerns about the increased threats of identity theft and fraud from data that may have leaked.

While DHS collects and maintains a large volume of citizens' personally identifiable information as part of its law enforcement mandate, it increasingly depends on third parties for storing and securing large volumes of that data, and attackers have succeeded in exploiting security loopholes to access this data, the lawmaker notes in the letter.

A GAO spokesperson tells Information Security Media Group that the letter will "go through a review process before we take any action. That review usually takes a few weeks."

A DHS spokesperson and Hassan's office did not respond to a request for additional information.

Three Incidents

Hassan, who serves on the Homeland Security and Governmental Affairs Committee, cites three incidents that happened between March and June that have raised questions about how DHS shares data with third parties as well as the inability of some contractors to secure that data.

These incidents include:

  • In March, the Inspector General's Office found that the Federal Emergency Management Agency, a unit of DHS, shared too much personally identifiable information with third-party contractors. This included information related to 2.3 million citizens affected by hurricanes and wildfires over the last several years.
  • In June, U.S. Customs and Border Protection, another DHS unit, announced that license plate images and photos of travelers collected at the U.S. border had been compromised after a federal government subcontractor was hacked. In this case, the images of about 100,000 travelers were exposed and an initial investigation found that the contractor did not follow security protocols outlined in its contract with the agency (see: US Border License Plate and Traveler Photos Exposed).
  • News stories emerged that DHS stored sensitive data from the nation's bioterrorism defense program on insecure websites where it was vulnerable to attacks. Those sites were run by a third-party contractor, according to the Los Angeles Times.

These three incidents raise questions about how much data DHS should share with third parties and whether those policies need to be reviewed by the GAO, Hassan writes in her letter.

"We request the GAO to conduct a review of the policies and procedures in place at DHS to ensure that PII collected by or shared with contractors is protected from improper access or use," the senator writes.

Privacy Concerns

In her letter, Hassan requests GAO consider three questions:

  • What requirements does DHS impose on contractors to protect personally identifiable information that they receive or collect on behalf of the department?
  • What oversight mechanisms are in place at major DHS units to ensure that contractors fully adhere to the department's security and privacy policy?
  • When data breaches do occur, what steps does DHS take to ensure that the root causes are identified and remediated in contractor systems and programs?

Hassan's letter was the second she's sent to GAO this month raising concerns over cybersecurity issues.

On Oct. 18, Hassan asked the GAO to investigate how the federal government supports local and state governments following ransomware attacks. These types of attacks against municipalities have been on the increase since the start of the year (see: Just How Widespread Is Ransomware Epidemic?).


About the Author

Akshaya Asokan

Senior Correspondent

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority-rights and education.



